Chapter 6
Router Forensics
by Michael Gregg
■ Network Forensics
■ Searching for Evidence
■ An Overview of Routers
■ Hacking Routers
■ Router Attacks
■ Investigation of Routers
■ Incident Forensics
Summary
407_ADS_06.qxd 8/22/07 12:09 PM Page 172
Introduction
This chapter examines router and network forensics. It is important because many attacks will require the analyst to look for information in the router or to perform network forensics. This requires you to have an understanding of routers and their architecture. It is important to understand where they reside within the OSI model and what role they play within network communications.
Anytime you work with forensic evidence it is critical that the concept of chain of custody be understood. How evidence is handled, stored, accessed, and transported is critical, because if basic control measures are not observed the evidence may be ruled inadmissible in court.
Network Forensics
Network forensics can best be defined as the sniffing, recording, and analysis of network traffic and events. Network forensics is performed in order to discover the source of security incidents and attacks or other potential problems. One key role of the forensic expert is to differentiate repetitive problems from malicious attacks.
www.syngress.com
social engineer the help desk into giving him a phone number for a modem. Access could be gained by finding a vulnerability in the web server's software. Just having the access of an average user account probably won't give the attacker very much control or access to the network. Therefore, the attacker will attempt to escalate to administrator or root privilege. Once escalation of privilege is complete the attacker will work on ways to maintain access to the systems he or she has attacked and compromised. Hackers are much like other criminals in that they would like to make sure to remove all evidence of their activities, which might include using rootkits to cover their tracks. This is the moment at which most forensic activities begin.
line with the attrib command. This command is built into the Windows OS. It allows a user to change the properties of a file. Someone could hide a file by issuing attrib +h secret.txt. This command would render the file invisible in the command line environment. This can also be accomplished through the GUI by right-clicking on a file and choosing the hidden attribute.
Would the file then be invisible in the GUI? Well, that depends on the view settings that have been configured. Open an Explorer window and choose Tools, Folder Options, View, Show Hidden Files; then make sure Show Hidden Files is selected. This will display all files and folders, even those with the +h attribute set. Another way to get a complete listing of all hidden files is to issue the command attrib /s > attributes.txt from the root directory. The attrib command lists file attributes, the /s switch lists all files in all the subdirectories, and > redirects the output to a text file. This text file can then be parsed and placed in a spreadsheet for further analysis. Crude attempts such as these can be quickly surmounted.
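The parsing step the text mentions, as an added example rather than anything from the chapter: the script reads attrib /s output, keeps one record per file with its attribute letters, pulls out everything carrying +h (including files that are also marked system), and writes a CSV a spreadsheet can open. The sample listing, the paths in it and the "File not found" line are constructed; the regular expression assumes attrib's usual layout of attribute letters followed by a drive-letter path.

```python
import csv
import io
import re

# Constructed sample of "attrib /s > attributes.txt" output (invented paths, not
# from the chapter). Each line is a column of attribute letters followed by a path.
SAMPLE_ATTRIB_OUTPUT = """\
A            C:\\Users\\analyst\\notes.txt
A    H       C:\\Users\\analyst\\secret.txt
A   SH       C:\\Users\\analyst\\AppData\\tools\\stage.bin
A  R         C:\\Users\\analyst\\readme.txt
File not found - C:\\Users\\analyst\\Music
"""

# Attribute letters (with the padding spaces attrib uses), then a drive-letter path.
ATTRIB_LINE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\.*)$")

# Letters attrib prints for the attributes that matter in a hidden-file sweep.
ATTRIBUTE_NAMES = {"A": "archive", "S": "system", "H": "hidden", "R": "read-only"}


def parse_attrib_output(text):
    """Turn attrib output into one record per file; lines that are not file entries are skipped."""
    entries = []
    for line in text.splitlines():
        match = ATTRIB_LINE.match(line)
        if match is None:
            continue
        letters = set(match.group(1).replace(" ", ""))
        entries.append({
            "path": match.group(2).rstrip(),
            "attributes": "".join(sorted(letters)),
            "hidden": "H" in letters,
            "system": "S" in letters,
        })
    return entries


def hidden_files(entries):
    """Paths carrying the +h attribute, including those also marked system."""
    return [e["path"] for e in entries if e["hidden"]]


def to_csv(entries):
    """Spreadsheet-ready text so the listing can be sorted and filtered."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "attributes", "hidden", "system"])
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    records = parse_attrib_output(SAMPLE_ATTRIB_OUTPUT)
    print(to_csv(records))
    print("hidden:", hidden_files(records))
```

Sorting the CSV on the attributes column brings the +h and +s entries together; files marked both hidden and system outside the Windows directory deserve a second look because that combination is also what the operating system uses for its own protected files.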
An Overview of Routers
Routers are a key piece of networking gear. Let's review the role and function of a router.
What Is a Router?
Routers can be hardware or software devices that route data from a local area network to a different network. Routers are responsible for making decisions about which of several paths network (or Internet) traffic will follow. If more than one path is available to transmit data, the router is responsible for determining which path is the best path to route the information.
Routing Tables
Routers are one of the basic building blocks of networks, as they connect networks together. Routers reside at layer 3 of the OSI model. Each router has two or more interfaces. These interfaces join separate networks together. When a router receives a packet, it examines the IP address and determines to which interface the packet should be forwarded. On a small or uncomplicated network, an administrator may have defined a fixed route that all traffic will follow. More complicated networks typically route packets by observing some form of metric. Routing tables include the following types of information:
■ Bandwidth. This is a common metric based on the capacity of a link. If all other metrics were equal, the router would choose the path with the highest bandwidth.
■ Cost. The organization may have a dedicated T1 and an ISDN line. If the ISDN line has a higher cost, traffic will be routed through the T1.
■ Delay. This is another common metric, as it can build on many factors including router queues, bandwidth, and congestion.
■ Distance. This metric is calculated in hops; that is, how many routers away the destination is.
■ Load. This metric is a measurement of the load that is being placed on a particular router. It can be calculated by examining the processing time or CPU utilization.
■ Reliability. This metric examines arbitrary reliability ratings. Network administrators can assign these numeric values to various links.
By applying this metric and consulting the routing table, the routing protocol can
make a best path determination. At this point, the packet is forwarded to the next
hop as it continues its journey toward the destination.
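A small model of the lookup just described, added here as an example and not taken from the chapter: each router holds a table of prefixes, the most specific matching prefix wins, ties between equally specific prefixes are broken by the metric, and a packet is then handed to the next hop with its TTL decremented until it lands on a directly connected network or the TTL runs out. The two-router topology, its addresses (RFC 5737 test ranges) and the deliberately stale entry on R2 are constructed; the next-hop-to-router map stands in for the layer 2 adjacency a real router would resolve.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # next-hop address, or "connected" for a directly attached network
    interface: str
    metric: int        # lower is better (hop count, cost, or a composite of the metrics above)


def build_table(rows):
    """rows: (prefix, next_hop, interface, metric) tuples -> list of Route."""
    return [Route(ipaddress.ip_network(p), nh, ifc, m) for p, nh, ifc, m in rows]


def select_route(table, dst):
    """Longest-prefix match first; among equal-length prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def forward(routers, neighbors, start, dst, ttl=8):
    """Walk a packet router to router, decrementing TTL per hop, until it is delivered
    onto a connected network, dropped for lack of a route, or its TTL expires."""
    path, here = [start], start
    while ttl > 0:
        route = select_route(routers[here], dst)
        if route is None:
            return path, "no route"
        if route.next_hop == "connected":
            return path, "delivered"
        ttl -= 1
        here = neighbors[route.next_hop]
        path.append(here)
    return path, "ttl expired"


# Constructed two-router topology (not from the chapter). 10.0.0.1/10.0.0.2 are the
# serial link between R1 and R2; the 10.0.0.3 entry is a worse-metric duplicate that
# the lookup must never choose, so it needs no neighbour mapping.
ROUTERS = {
    "R1": build_table([
        ("0.0.0.0/0",      "10.0.0.2",  "Serial0",   10),  # default route toward R2
        ("10.1.0.0/16",    "10.0.0.2",  "Serial0",   2),
        ("10.1.5.0/24",    "10.0.0.3",  "Ethernet1", 5),   # same prefix, worse metric
        ("10.1.5.0/24",    "10.0.0.2",  "Serial0",   1),   # same prefix, preferred
        ("192.168.1.0/24", "connected", "Ethernet0", 0),
    ]),
    "R2": build_table([
        ("10.1.5.0/24",    "connected", "Ethernet0", 0),
        ("10.1.0.0/16",    "connected", "Ethernet1", 0),
        ("172.16.0.0/16",  "10.0.0.1",  "Serial0",   2),   # stale entry pointing back at R1
    ]),
}
NEIGHBORS = {"10.0.0.1": "R1", "10.0.0.2": "R2"}


if __name__ == "__main__":
    for dst in ("10.1.5.20", "192.168.1.9", "172.16.3.3"):
        print(dst, forward(ROUTERS, NEIGHBORS, "R1", dst))
```

The 172.16.0.0/16 case is the reason the TTL exists: R1 has only a default route, R2 points the prefix back at R1, and without the decrement the packet would bounce between them forever. Seeing a burst of such expiries in the router's logs during an investigation is usually a misconfiguration, but it is also what a poisoned routing table looks like from the outside.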
Router Architecture
Router architecture is designed so that routers are equipped to perform two main functions: process routed protocols and use routing protocols to determine the best path. Let's start by reviewing routed protocols. The best example of a routed protocol is IP. A very basic definition of IP is that it acts as the postman of the Internet; its job is to organize data into a packet, which is then addressed for delivery. IP must place a target and source address on the packet. This is similar to addressing a package before delivering it to the post office. In the world of IP, the postage is a TTL (Time-to-Live), which keeps packets from traversing the network forever. If the recipient cannot be found, the packet can eventually be discarded.
All the computers on the Internet have an IP address. If we revert to our analogy of the postal system, an IP address can be thought of as the combination of a zip code and street address. The first half of the IP address is used to identify the proper network; the second portion of the IP address identifies the host. Combined, this allows us to communicate with any network and any host in the world that is connected to the Internet. Now let us turn our attention to routing protocols.
Routing Protocols
Routing protocols fall into two basic categories, static and dynamic. Static, or fixed, routing is simply a table that has been developed by a network administrator mapping one network to another. Static routing works best when a network is small and the traffic is predictable. The big problem with static routing is that it cannot react to network changes. As the network grows, management of these tables can become difficult. Although this makes static routing unsuitable for use on the Internet or large networks, it can be used in special circumstances where normal routing protocols do not function well.
Dynamic routing uses metrics to determine what path a router should use to send a packet toward its destination. Dynamic routing protocols include Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and Open Shortest Path First (OSPF). Dynamic routing can be divided into two broad categories: link-state or distance vector dynamic routing protocols, which are discussed in greater detail later in the chapter.
RIP
RIP is the most common routing protocol that uses a hop count as its primary routing metric. RIP is considered a distance vector protocol. The basic methodology of a distance vector protocol is to make a decision on what is the best route by determining the shortest path. The shortest path is commonly calculated in hops. Distance vector routing is also called routing by rumor, because each router knows only what its neighbors tell it.
OSPF
OSPF is the most common link state routing protocol and many times it is used as a replacement for RIP. Link state protocols are properly called Dijkstra algorithms, as this is the computational basis of their design. Link state protocols use the Dijkstra algorithm to calculate the best path to a target network. The best path can be determined by one or more metrics such as hops, delay, or bandwidth. Once this path has been determined, the router will inform other routers of its findings. This is how reliable routing tables are developed and routing tables reach convergence. Link state routing is considered more robust than distance vector routing protocols. One reason is that link state protocols have the ability to perform faster routing table updates.
NOTE
Convergence is the point at which routing tables have become synchronized.
Each time a network is added or dropped, the routing tables must again
resynchronize. Routing algorithms differ in the speed at which they can
reach convergence.
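The two approaches side by side on one small topology, as an added example and not code from the chapter: the link-state function is Dijkstra's algorithm run by a router that holds the whole map, while the distance-vector function is the Bellman-Ford "routing by rumor" exchange in which each router only learns what its neighbors currently believe, repeated round by round until nothing changes. The four-router topology and its link costs are constructed; the round counter is one way to make the convergence delay of the NOTE visible.

```python
import heapq

# Constructed topology (not from the chapter): a cheap three-hop path A-B-C-D
# and an expensive direct link A-D, so the best route is not the obvious one.
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "D", 5)]


def adjacency(links):
    """Undirected link list -> {router: {neighbor: cost}}."""
    adj = {}
    for u, v, cost in links:
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def link_state(adj, source):
    """Dijkstra from one router that knows the entire map.
    Returns (distance to every router, next hop toward every router)."""
    dist, next_hop, done = {source: 0}, {}, set()
    heap = [(0, source, source)]           # (cost so far, router, first hop from source)
    while heap:
        d, u, via = heapq.heappop(heap)
        if u in done:
            continue                       # a shorter entry for u was already settled
        done.add(u)
        if u != source:
            next_hop[u] = via
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v, v if u == source else via))
    return dist, next_hop


def distance_vector(adj):
    """Bellman-Ford exchange: each router advertises its vector to its neighbors,
    who keep any shorter distance they hear. Returns (vectors, rounds), where
    rounds counts exchanges including the final one in which nothing changed."""
    inf = float("inf")
    vectors = {r: {r: 0} for r in adj}
    rounds = 0
    while True:
        changed = False
        for r in adj:
            for nbr, cost in adj[r].items():
                for dest, d in vectors[nbr].items():
                    if cost + d < vectors[r].get(dest, inf):
                        vectors[r][dest] = cost + d
                        changed = True
        rounds += 1
        if not changed:
            return vectors, rounds         # converged: tables are synchronized


if __name__ == "__main__":
    adj = adjacency(LINKS)
    print("link state from A:", link_state(adj, "A"))
    vectors, rounds = distance_vector(adj)
    print("distance vector converged after", rounds, "rounds:", vectors["A"])
```

Both end with the same tables (A reaches D at cost 3 via B), but the link-state router has its answer the moment it has the map, whereas the distance-vector routers need several rounds for the cheaper three-hop path to propagate back to A. That gap is where a stale or poisoned advertisement lives longest, which is why a routing table captured during an investigation should be compared against what the topology says it ought to be.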
Hacking Routers
Full control of a router can often lead to full control of the network. This is why many attackers will target routers and launch attacks against them. These attacks may focus on configuration errors, known vulnerabilities, or even weak passwords.
Router Attacks
Routers can be attacked by gaining access to the router and changing the configuration file, launching DoS attacks, flooding the bandwidth, or routing table poisoning. These attacks can be either hit-and-run or persistent. Denial of Service attacks are targeted at routers. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled.
Hardening Routers
The Router Audit Tool (RAT) can be used to harden routers. Once downloaded, RAT checks router configurations against the settings defined in its benchmark. Each configuration is examined and given a rated score that provides a raw overall score, a weighted overall score (1-10), and a list of IOS commands that will correct any identified problems.
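A miniature of the benchmark-style audit described above, added as an example and not part of the chapter or of RAT itself: a handful of checks are run over a running-config excerpt, each failure is paired with the IOS command that fixes it, and the pass ratio is turned into an unweighted 0-10 score (RAT's weighting is not reproduced). Both configurations are constructed, with invented hostnames and RFC 5737 addresses; the weak one shows the settings an audit should flag and the hardened one the corrected form of each.

```python
import re

# Constructed running-config excerpts (hostnames and addresses invented, not from
# the chapter). The first shows settings an audit should flag, the second the
# corrected form of each.
WEAK_CONFIG = """\
hostname edge-rtr
no service password-encryption
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
 login
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
service timestamps log datetime msec
enable secret <hashed-secret-placeholder>
no ip http server
logging host 192.0.2.10
ntp server 192.0.2.20
line vty 0 4
 transport input ssh
 login local
"""


def _has(config, pattern):
    """True if any line of the config matches the pattern."""
    return re.search(pattern, config, re.M) is not None


# (check name, passes?(config), IOS command(s) that correct a failure)
CHECKS = [
    ("enable secret in use, no enable password",
     lambda c: _has(c, r"^enable secret ") and not _has(c, r"^enable password "),
     "enable secret <secret> ; no enable password"),
    ("passwords in the config are encrypted",
     lambda c: _has(c, r"^service password-encryption"),
     "service password-encryption"),
    ("HTTP management interface disabled",
     lambda c: _has(c, r"^no ip http server"),
     "no ip http server"),
    ("no default SNMP community strings",
     lambda c: not _has(c, r"^snmp-server community (public|private)\b"),
     "no snmp-server community public ; no snmp-server community private"),
    ("VTY lines accept SSH only",
     lambda c: _has(c, r"^\s+transport input ssh\s*$") and not _has(c, r"^\s+transport input .*telnet"),
     "line vty 0 4 ; transport input ssh"),
    ("logs sent to a remote syslog host",
     lambda c: _has(c, r"^logging (host )?\d"),
     "logging host <syslog-ip>"),
    ("log messages carry timestamps",
     lambda c: _has(c, r"^service timestamps log datetime"),
     "service timestamps log datetime msec"),
    ("clock synchronised with NTP",
     lambda c: _has(c, r"^ntp server "),
     "ntp server <ntp-ip>"),
]


def audit(config):
    """Score a config 0-10 (unweighted pass ratio) and list the fixes for failed checks."""
    failed = [(name, fix) for name, passes, fix in CHECKS if not passes(config)]
    score = round(10 * (len(CHECKS) - len(failed)) / len(CHECKS), 1)
    return {"score": score,
            "failed": [name for name, _ in failed],
            "fix_commands": [fix for _, fix in failed]}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

The last three checks (remote logging, timestamps, NTP) are the ones a forensic analyst cares about most: without them the router's own log entries cannot be placed on a timeline or correlated with other evidence after the fact.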
Denial-of-Service Attacks
Denial-of-service (DoS) attacks fall into three categories:
■ Destruction. Attacks that destroy the ability of the router to function.
■ Resource consumption. Flooding the router with many open connections simultaneously.
■ Bandwidth consumption. Attacks that attempt to consume the bandwidth capacity of the router's network.
DoS attacks may target a user or an entire organization and can affect the availability of target systems or the entire network. The impact of DoS is the disruption of normal operations and the disruption of normal communications. In most instances it is much easier for an attacker to accomplish this than it is to gain access to the network. Smurf is an example of a common DoS attack. Smurf exploits the Internet Control Message Protocol (ICMP) by sending a spoofed ping packet addressed to the broadcast address with the source address listed as the victim. On a multiaccess network, many systems may reply. The attack results in the victim being flooded with ping responses. Another example of a DoS attack is a SYN flood. A SYN flood disrupts Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. This large number of half-open TCP connections fills the buffer on the victim's system and prevents it from accepting legitimate connections. Systems connected to the Internet that provide services such as HTTP or SMTP are particularly vulnerable.
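Detection logic for the two attacks just described, added here as an example (not from the chapter) and run over constructed flow summaries of the kind a sensor in front of the router might produce. A SYN flood shows up as a destination and port where SYN-only flows vastly outnumber flows that ever carry an ACK; a Smurf shows up as ICMP echo requests aimed at a local broadcast address, where the "source" is really the victim. The flow-line format, the thresholds, the RFC 5737 addresses and the list of local networks are all assumptions of the example.

```python
import ipaddress
from collections import Counter


# Constructed one-line flow summaries (fields: proto src dst dport flags).
# Addresses are RFC 5737 test ranges; nothing here is from the chapter.
def build_sample_flows():
    lines = []
    for i in range(1, 41):  # 40 SYNs from spoofed sources that never complete the handshake
        lines.append(f"tcp 198.51.100.{i} 192.0.2.10 80 S")
    for host in ("203.0.113.20", "203.0.113.21", "203.0.113.22"):  # legitimate web clients
        lines.append(f"tcp {host} 192.0.2.10 80 S")
        lines.append(f"tcp {host} 192.0.2.10 80 A")
    for host in ("203.0.113.30", "203.0.113.31"):  # normal mail traffic, must not alert
        lines.append(f"tcp {host} 192.0.2.10 25 S")
        lines.append(f"tcp {host} 192.0.2.10 25 A")
    for _ in range(5):  # echo requests to the LAN broadcast address with the victim as source
        lines.append("icmp 192.0.2.10 203.0.113.255 0 echo-request")
    return "\n".join(lines)


LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # networks behind the router


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport, flags = line.split()
        flows.append({"proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "flags": flags})
    return flows


def detect_syn_flood(flows, min_half_open=20, min_ratio=0.8):
    """Flag (dst, port) pairs where SYN-only flows dominate: many half-open
    connections and almost no ACKs completing the handshake."""
    syn_only, total = Counter(), Counter()
    for f in flows:
        if f["proto"] != "tcp":
            continue
        key = (f["dst"], f["dport"])
        total[key] += 1
        if f["flags"] == "S":
            syn_only[key] += 1
    alerts = []
    for key in total:
        ratio = syn_only[key] / total[key]
        if syn_only[key] >= min_half_open and ratio >= min_ratio:
            alerts.append({"target": key, "half_open": syn_only[key], "ratio": round(ratio, 2)})
    return alerts


def detect_smurf(flows, local_nets=LOCAL_NETS):
    """Echo requests aimed at a local broadcast address: the source is the
    intended victim, because every responding host will reply to it."""
    hits = []
    for f in flows:
        if f["proto"] != "icmp" or f["flags"] != "echo-request":
            continue
        dst = ipaddress.ip_address(f["dst"])
        if any(dst == net.broadcast_address for net in local_nets):
            hits.append({"spoofed_victim": f["src"], "broadcast": f["dst"]})
    return hits


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("syn flood:", detect_syn_flood(flows))
    print("smurf:", detect_smurf(flows))
```

The mail traffic on port 25 is there to show why both a count and a ratio are needed: every legitimate connection also starts with a SYN, so a low absolute count must not alert, and a busy server with many completed handshakes must not alert either. On the router side the Smurf case is prevented outright by not forwarding directed broadcasts onto the LAN.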
DDoS attacks are the second type of DoS attack and are considered multiprotocol attacks. DDoS attacks use ICMP, UDP, and TCP packets. One of the distinct differences between DoS and DDoS is that a DDoS attack consists of two distinct phases. First, during the pre-attack phase, the hacker must compromise computers scattered across the Internet and load software on these clients to aid in the attack. Targets for such an attack include broadband users, home users, poorly configured networks, colleges, and universities. Script kiddies from around the world can spend countless hours scanning for poorly protected systems. Once this step is completed the second step can commence. The second step is the actual attack. At this point the attacker instructs the masters to communicate to the zombies to launch the attack. ICMP and UDP packets can easily be blocked at the router, but TCP packets are difficult to mitigate. TCP-based DoS attacks come in two forms:
■ Connection-oriented. These attacks complete the 3-way handshake to establish a connection. The source IP address can be determined here.
■ Connectionless. These SYN packets are difficult to trace because the source
An example of a DDoS tool is Tribal Flood Network (TFN). TFN was the first publicly available UNIX-based DDoS tool. TFN can launch ICMP, Smurf, UDP, and SYN flood attacks. The master uses UDP port 31335 and TCP port 27665. TFN was followed by more advanced DDoS tools such as Trinoo. Closely related to TFN, this DDoS tool allows a user to launch a coordinated UDP flood against the victim's computer, which gets overloaded with traffic. A typical Trinoo attack team includes just a few servers and a large number of client computers on which the Trinoo daemon is running. Trinoo is easy for an attacker to use and is very powerful in that one computer is instructing many Trinoo servers to launch a DoS attack against a particular computer.
Investigating Routers
When investigating routers there is a series of built-in commands that can be used for analysis. It is inadvisable to reset the router, as this may destroy evidence that was created by the attacker. The following show commands can be used to gather basic information and record hacker activity:
■ Show access list
■ Show clock
■ Show ip route
■ Show startup configuration
■ Show users
■ Show version
Chain of Custody
The chain of custody is used to prove the integrity of evidence. The chain of custody should be able to answer the following questions:
■ Who collected the evidence?
■ How and where is the evidence stored?
■ Who took possession of the evidence?
■ How was the evidence stored and how was it protected during storage?
■ Who took the evidence out of storage and why?
There is no such thing as too much documentation. One good approach is to have two people work on a case. While one person performs the computer analysis, the other documents these actions. At the beginning of an investigation, a forensic analyst should prepare a log to document the systematic process of the investigation. This is required to establish the chain of custody. This chain of custody will document how the evidence is handled, how it is protected, what process is used to verify it remains unchanged, and how it is duplicated. Next, the log must address how the media is examined, what actions are taken, and what tools are used. Automated tools such as EnCase and The Forensic Toolkit compile much of this information for the investigator.
Volatility of Evidence
When responding to a network attack, volatile data should be collected as soon as possible. Although all routers are different, you will most likely be working with Cisco products as Cisco has the majority of the market share. Cisco routers store the startup configuration in nonvolatile RAM (NVRAM); the current (running) configuration is considered volatile data and is kept in Random Access Memory (RAM). If the configuration is erased or the router powered down all volatile information is lost. Routers typically are used as a beachhead for an attack. This means the router may play an active part in the intrusion. The attacker uses the router as a jumping-off point to other network equipment.
When starting an investigation you should always move from most volatile to least volatile. The first step is to retrieve RAM and NVRAM. To accomplish this you may use a direct connection to the console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter. In instances when a direct connection is not available a remote session is the next preferred method. Insecure protocols such as FTP should not be used; an encrypted protocol, Secure Shell (SSH), is preferred. You should make sure to capture both the volatile and the nonvolatile configuration for comparison of changes and for documentation purposes. Cisco routers have multiple modes, so to gain privileged mode the password must be known by the analyst.
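The show-command capture, the most-volatile-first ordering and the chain-of-custody log from the preceding sections, tied together in one added example that is not code from the chapter: the outputs of a console session are hashed in collection order, a manifest records who collected them and when, and every later custody event is chained to the previous one by hash, so that both a changed output and an edited or reordered custody entry are detectable. The capture is constructed placeholder text, not real IOS output; the collection order and the `show running-config`/`show startup-config` spelling of the commands are the example's assumptions (the chapter lists them as "show startup configuration" and "show access list").

```python
import hashlib
import json

# Order of collection, most volatile first, for a Cisco router. The running
# configuration is the in-RAM "current" config; the startup config lives in NVRAM.
COLLECTION_ORDER = [
    "show clock", "show version", "show users", "show ip route",
    "show access-lists", "show running-config", "show startup-config",
]

# Constructed console capture: command -> output (placeholder text, not real IOS output).
SAMPLE_CAPTURE = {
    "show clock": "<clock output placeholder>",
    "show version": "<version output placeholder>",
    "show users": "<users output placeholder>",
    "show ip route": "<routing table placeholder>",
    "show access-lists": "<access-list placeholder>",
    "show running-config": "<running-config placeholder>",
    "show startup-config": "<startup-config placeholder>",
}


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _chain_hash(prev_hash, entry):
    """Hash of a custody entry bound to the hash that precedes it."""
    return _sha256(prev_hash + json.dumps(entry, sort_keys=True))


def add_custody(manifest, who, action, why, when):
    """Append a custody entry chained to the previous one, so reordering or
    editing an earlier entry breaks every hash after it."""
    prev = manifest["custody"][-1]["entry_sha256"] if manifest["custody"] else manifest["items_sha256"]
    entry = {"when": when, "who": who, "action": action, "why": why}
    entry["entry_sha256"] = _chain_hash(prev, entry)
    manifest["custody"].append(entry)
    return entry["entry_sha256"]


def record_evidence(capture, analyst, when):
    """Hash every captured output in collection order and open the custody log."""
    items = [{"command": cmd,
              "sha256": _sha256(capture[cmd]),
              "bytes": len(capture[cmd].encode("utf-8"))}
             for cmd in COLLECTION_ORDER if cmd in capture]
    manifest = {"collector": analyst, "collected_at": when, "items": items,
                "items_sha256": _sha256(json.dumps(items, sort_keys=True)), "custody": []}
    add_custody(manifest, analyst, "collected", "initial acquisition from console", when)
    return manifest


def verify_chain(manifest):
    """True if the custody log is intact and still anchored to the evidence hashes."""
    if manifest["items_sha256"] != _sha256(json.dumps(manifest["items"], sort_keys=True)):
        return False
    prev = manifest["items_sha256"]
    for entry in manifest["custody"]:
        fields = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if _chain_hash(prev, fields) != entry["entry_sha256"]:
            return False
        prev = entry["entry_sha256"]
    return True


def verify_capture(manifest, capture):
    """Commands whose stored output no longer matches the hash taken at collection."""
    return [i["command"] for i in manifest["items"]
            if _sha256(capture.get(i["command"], "")) != i["sha256"]]


if __name__ == "__main__":
    manifest = record_evidence(SAMPLE_CAPTURE, "analyst-1", "2007-08-22T10:42:17Z")
    add_custody(manifest, "analyst-2", "checked out", "offline analysis", "2007-08-23T09:00:00Z")
    print(json.dumps(manifest, indent=2))
    print("chain intact:", verify_chain(manifest), "changed:", verify_capture(manifest, SAMPLE_CAPTURE))
```

Capturing `show clock` first is deliberate: the router's idea of the time is what every later log line will be interpreted against, and it is the one item that changes the moment it is read. The second-person documentation the chapter recommends maps onto the custody entries here; the manifest is a record of what was done, not a substitute for the written log.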
Case Reports
Case reporting is one of the most important aspects of computer forensics. Just as with traditional forensics, everything should be documented. Reporting should begin the minute you are assigned to a case. Although it may sometimes seem easier to blindly push forward, the failure to document can result in poorly written reports that will not withstand legal scrutiny.
Let's face it, not all aspects of computer forensics are exciting and fun. Most of us view paperwork as drudgery. It is a somewhat tedious process that requires an eye for detail. Don't allow yourself this fallacy. In the end, the documentation you keep and the process you follow will either validate or negate the evidence. The report is key in bringing together the three primary pieces of forensics: acquisition, authentication, and analysis.
The case report will be the key to determining one of the following actions:
■ Employee remediation
■ Employee termination
■ Civil proceedings
■ Criminal prosecution
When the investigation is complete a final written report is prepared. Some of
the items found in this report will include:
■ Case Summary
■ Case Audit Files
■ Bookmarks
■ Selected Graphics
■ File Location Path
■ File Location Properties
Although this is not an all-inclusive list, it should give you some indication of what should be included. Depending on the agency or corporation, the contents of the report will vary. What is consistent is that anyone should be able to use the logs and the report to recreate the steps performed throughout the investigation. This process of duplication should lead to identical results.
Incident Response
Incident response is the effort of an organization to define and document the nature
and scope of a computer security incident. Incident response can be broken into
three broad categories that include:
■ Triage. Notification and identification
■ Action/Reaction. Containment, analysis, tracking
■ Follow up. Repair and recovery, prevention
Compromises
Before a compromise can be determined, investigators must be alerted that something has happened. It is best if the alert function is automated as much as possible. Otherwise, the sheer volume of log information would be overwhelming for an employee. Even with a high level of automation someone must still make a judgment regarding the validity of the alert. Once an attack has been validated it is important to reduce the damage of the attack as quickly as possible and work to restore normal business functions.
Summary
In this chapter, we reviewed how routers can play an important part in forensics.
Readers were introduced to routed protocols such as IP and we discussed how
routed protocols work. In many ways, IP acts as a “postman” since its job is to make
the best effort at delivery. In a small network or those that seldom change, the route
that the IP datagrams take through the network may remain static or unchanged.
Larger networks use dynamic routing. Administrators use routing protocols such as
RIP for dynamic routing. We also looked at how attackers attack routers and how
incident response relates to routers and router compromises.
Overview of Routers
■ Routers are designed to connect dissimilar protocols.
■ Routers deal with routing protocols.
■ Common routing protocols include RIP and OSPF.
Hacking Routers
■ Routers can be attacked by exploiting misconfigurations or vulnerabilities.
■ Routers need to have logging enabled so sufficient traffic is captured to aid in forensic investigations.
Incident Response
■ Monitoring for incidents requires both passive and active tasks.
■ Incident response requires development of a policy to determine the proper response.
Q: What are the different ways in which the network can be attacked?
A: Attacks typically target availability, confidentiality, and integrity. Loss of any one of these items constitutes a security breach.
Q: How does a forensic analyst know how deeply to look for information?
A: Some amount of information can be derived from looking at the skill level of the attacker. Attackers with little skill are much less likely to use advanced hiding techniques.